TwonkyMedia Server is DLNA-compliant, UPnP AV-compliant software
that shares and streams media to hundreds of popular consumer
electronics devices. It is available for Windows, Linux and Macintosh,
and for various architectures.
TwonkyMedia Server is bundled on a variety of CE and NAS devices from
leading manufacturers, including: Buffalo LinkStation, HP Media Vault,
LaCie Ethernet Disk, Philips Streamium music players, Western Digital
Share Space.

This script allows the attacker to read all the server configuration
variables, including the administrator's username and password.
(The victim, if not already logged in to the TwonkyMedia Server
configuration panel, is asked for username and password.)

2nd VULNERABILITY:
==================

Form inputs are not properly validated, so an attacker can also perform
a stored Cross-Site Scripting attack. Most of the pages of the
management interface are vulnerable.
As an example, writing the following string in one of the "Content
Locations" fields in the "Sharing" setup page results in a stored XSS,
which a malicious user can exploit every time the victim visits the
config page once it is infected:

Directory" /><script> alert('stored!');</script><br

In this way, the page can arbitrarily and permanently be modified by
an attacker, who can inject any kind of content in it.

In addition, by leveraging one of these vulnerabilities, an attacker can
modify any server configuration parameter. As an example, to modify
the administrator username and password once the victim visits the
page, it is sufficient to include a script that sends 2 requests to:

This vulnerability has been fixed in versions 4.4.18+, 5.0.66+, and 5.1.X.

2nd Vulnerability:
==================
As of this date, all versions of TwonkyMedia Server are still vulnerable.

5. SOLUTIONS

To fix the 1st vulnerability, upgrade to the latest version of
TwonkyMedia Server. Latest builds are available at:
http://twonkyforum.com/viewtopic.php?f=2&t=6678

6. DISCLOSURE TIMELINE

2009-06-01: Vendor notified
2009-06-08: Vendor response
2009-06-10: Status update from the development team
2009-06-10: Sent email stating that I'll publish the advisory once new
versions are released
2009-10-06: New releases checked; 2nd vulnerability was not fixed.
Vendor notified
2009-10-21: No response received; release of this advisory